SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.

- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act. http://www.sans.org/event/rocky-mountain-2013

- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act. http://www.sans.org/event/virginia-beach-2013

Plus Bangkok, Melbourne, Bangalore, and Baltimore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

TOP OF THE NEWS

Senate Issues Draft Cybersecurity Bill (July 12, 2013)

The US Senate is circulating a draft cybersecurity bill. A similar measure failed last year. The bill aims to establish voluntary cybersecurity standards for organizations that operate elements of the country's critical infrastructure. It also calls for increased research and development in cybersecurity defenses and increased software vulnerability information sharing.
-http://www.nextgov.com/cybersecurity/2013/07/analysis-senate-cybersecurity-bill-uncontroversial-also-unambitious/66578/?oref=ng-channeltopstory
-http://www.theregister.co.uk/2013/07/12/senate_critical_infrastructure_cybersecurity_bill/
[Editor's Note (Henry): As someone who has been "behind the curtain" and watched these deliberations from the inside over the past seven years, this is frustrating. As a private citizen and a taxpayer, it's frightening. I understand how hard a problem this is and I recognize the competing interests, but some things are of such concern we must step outside our comfort zones and make meaningful decisions, regardless of the political fallout. (Pescatore): If 18-year-olds read newspapers, they would have been able to read this story every year since they were first able to read. ]

Revised guidelines from the US Department of Justice limit the government's access to journalists' records except in cases in which the journalist is the subject of a criminal investigation. Ideally, journalists are protected by the First Amendment regarding freedom of the press and the Fourth Amendment regarding unreasonable search and seizure, as well as the Privacy Protection Act and other laws. The need for a revised and clarified policy became evident when the government launched an inquiry that characterized a journalist as a spy, criminalizing his efforts to obtain information from a source, and when the government obtained phone records for AP journalists.
-http://www.informationweek.com/government/policy/doj-limits-seizure-of-reporters-data/240158225
-http://www.justice.gov/iso/opa/resources/2202013712162851796893.pdf

A report from California's attorney general found that in 2012, 2.5 million California residents had their personal information compromised in the 131 security breaches that were reported to the AG's office. The report also notes that had companies encrypted their stored data, 1.4 million people would not have had their personal information exposed. Under state law, breaches do not need to be reported if the data affected are encrypted.
-http://www.scmagazine.com/california-data-breach-study-indicates-lack-of-encryption/article/302866/
Press Release:
-http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-releases-report-data-breaches-25-million
[Editor's Note (Pescatore): There is good data in this report but the encryption analysis is way too simplistic. Encrypting data would have prevented a breach in about 28% of the incidents - but only if the encryption was done right. The low hanging fruit (most promising technology) here is laptop and portable media encryption, which has the least barriers to success - lost or stolen devices/media accounted for 80% of those preventable data breaches. (Shpantzer): I agree with John on this, that removable media and laptop encryption is usually easier than on the server side, where a little database and application security goes a long way. ]

Sony Drops Fine Appeal (July 12 & 15, 2013)

Sony has abandoned its appeal of a GBP 250,000 (US $376,000) fine imposed after a 2011 PlayStation Network (PSN) hack. The UK Information Commissioner's Office (ICO) fined Sony in January 2013, after finding the company negligent for inadequately protecting PSN user data. Sony initially said it would appeal the fine, but has since changed its position, citing the company's "commitment to protect[ing] the confidentiality of [its] network security from disclosures in the course of the proceedings." Sony has stated that it remains opposed to the decision.
-http://www.bbc.co.uk/news/technology-23313535
-http://www.v3.co.uk/v3-uk/news/2281269/sony-gives-up-gbp250-000-fine-appeal-after-playstation-hacks
[Editor's Note (Pescatore): In 2011 Sony publicly admitted that its failure to protect the PlayStation Network had direct costs of $170M, and I remember doing an estimate at the time that put it closer to $300M. A fine of $376K is rounding error - which is the case with most medium to large disclosure events. ]

National Security Agency (NSA) chief General Keith Alexander has had success with collecting huge amounts of data and scouring them for information to solve problems. In an effort to stop attacks harming US troops in Iraq in 2005, Alexander ordered the collection of Iraqi text messages, phone calls, and email communication. The program, which was called the Real Time Regional Gateway, significantly reduced the number of deaths within three years. A former senior US intelligence official described Alexander's approach like this: "Rather than look for a single needle in the haystack, his approach was, 'Let's collect the whole haystack.'" Alexander became head of the Pentagon's US Cyber Command in 2010 while remaining in his position at NSA. -http://www.washingtonpost.com/world/national-security/for-nsa-chief-terrorist-threat-drives-passion-to-collect-it-all/2013/07/14/3d26ef80-ea49-11e2-a301-ea5a8116d211_story.html

NHS Surrey has been fined GBP 200,000 (US $302,000) over data remaining on a hard drive sold on eBay. The storage device held records of nearly 3,000 patients and had been given to a third party for secure destruction. The drive in question was in a PC that was part of a lot provided to the data destruction company. All the hard drives and data were supposed to be destroyed, and the company had provided certificates saying that the actions agreed upon had been taken. The ICO chastised the hospital for providing inadequate oversight of the data destruction company.
-http://news.techworld.com/security/3457470/hospital-fined-200000-after-hard-drive-full-of-patient-data-bought-on-ebay/
-http://www.v3.co.uk/v3-uk/news/2281258/nhs-surrey-hit-by-gbp200-000-fine-after-patient-data-found-on-computers-sold-at-auction
[Editor's Note (Shpantzer): Data and devices have a lifecycle and many orgs ignore the disposal phase altogether, so it's sad to see stories like these where there was even a consideration of the disposal phase. I'd like to see ICO (or whoever does that in the UK) going after the seemingly-fraudulent data disposal company, who issued 'certificates' of destruction, which either never happened or was not properly done. Assuming that this company has other customers who thought their drives were properly disposed of, is ICO (or whoever does that in the UK) pulling on that thread?]

Chinese Cyberespionage Group Using Dropbox and WordPress (July 10, 2013)

A Chinese cyberespionage group has reportedly begun using Dropbox and WordPress to spread malware and further its forays into target computer networks. The group is the same one believed to have been responsible for attacks on the New York Times. The attackers register for a Dropbox account, upload the specially crafted content, and share it with targeted users. A memo that purported to be from the US-ASEAN (Association of Southeast Asian Nations) business council was used as bait. Once the targets opened the file, the embedded malware contacts a WordPress blog for commands to reach a command-and-control server.
-http://www.nbcnews.com/technology/dropbox-used-chinese-hackers-spread-malware-6C10642402
-http://www.darkreading.com/attacks-breaches/dropbox-wordpress-used-as-cloud-cover-in/240158057
[Editor's Note (Pescatore): Sort of a "dog bites man" story, no? A far more interesting story ("man bites dog") would be: "For the first time in recorded history, going back to the Stone Age, bad guys decided *not* to use the same technology the good guys are using." (Henry): We've monitored this adversary for several years, and this latest tactic demonstrates their continued evolution. Defenders filter outbound ports, and the adversary uses C2 sites that are difficult or impossible for administrators to block...yet another example of electronic "cat and mouse." ]

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/